The Privacy of Medical Records (1)

Part 1

Within the past two years, a substantial amount of attention has been paid to the issue of the privacy of patient records. The Health Insurance Portability and Accountability Act of 1996 required the Secretary of Health and Human Services to make recommendations to Congress on ways to protect the privacy of medical records. Secretary Shalala submitted her proposals to Congress on September 11, 1997. The National Academy of Sciences and the National Association of Insurance Commissioners have issued recommendations of their own. Senator Robert Bennett (R. - Utah) has circulated draft legislation entitled the "Medical Information Confidentiality Act" that may well be the focus of congressional action.Two developments account for this flurry of interest. The first is the growth of electronic medical record-keeping in place of paper records. The National Academy of Sciences report states that the health care industry spent between $10 and $15 billion on information technology in 1996. Much of this expenditure is attributable to creating electronic medical records systems and converting conventionally stored data to electronic formats.
Electronic medical records ("EMRs") appear to present new threats to maintaining the privacy of patient-identifiable medical records. An Electronic medical records can be called up instantaneously by someone with access to the data system and the relevant passwords. Although a paper record can be photocopied and faxed, it is less easy to distribute widely, and requires physical possession for accessibility. Computerized records systems are "black boxes" to many health professionals who are otherwise familiar with traditional records systems; they fear losing control of the systems and having to rely on computer experts who may not have internalized the privacy-related ethics of the medical profession. At the same time, one hears proposals to link all medical records systems so that patient data can be accessed wherever and whenever patients require medical services. This raises the prospect that access to one portion of one record may afford access to all records on an individual.

The Managed Care Conflict
A second reason for the increased concern over medical records privacy is the growth of managed care organizations. In the traditional, fee-for-service model of health care delivery, patient records would be produced and retained by the physician or other provider of services. The patient's health insurer would be given access to selected records needed for claims review. Disclosure of the records required patient authorization, although, typically, patients executed these authorizations automatically and in blanket fashion. In a managed care organization, on the other hand, the provider of care and the insurer, in some sense, are the same entity. Any medical information in the possession of the provider also is held by the insurer. This is clearest in a closed-panel HMO like Kaiser but is present, to a varying degree, in all forms of managed care.The fear here is that the insurer will gain access to medical records that the patient and the provider would not normally transmit and that the insurer will use the data to take action adverse to the patient's interest, such as limiting benefits or terminating the patient's insurance coverage.Special problems are created by employer-sponsored health plans. Here, the plan is essentially the same entity as the employer and the concern is that the employer will have access to medical information possessed by the health plan and will use the information contrary to the employee's interests, such as to terminate employment.The basic solutions that are being proposed are, (continued...)